VPN bypass

[sapstar66]

Hi guys...

New member and newbie here. I've search this forum without success, so maybe what I'm trying to do is not doable... but here it goes.

I'm on a RT-AC66U 380.60.2

I've setup an L2TP vpn and connected successfully to it (Smartdnsproxy) Everything is working well except for one thing.

My alarm system needs to connect to my ISP's SMTP server to send me emails. If I'm connected to the VPN, the SMTP server doesn't recognize the address as a local on and rejects the request.

Would there be a way to have my alarm's local IP to bypass the VPN ?

Thanks in advance!

J.P.

 

[Martineau]

Would there be a way to have my alarm's local IP to bypass the VPN ?

The Selective Routing thread(s) has a lot of info - mainly for OpenVPN selective routing, but also some legacy PPTP/L2TP selective routing examples.

Normally only certain designated devices/subnets are explicitly routed via the VPN, whereas you require the reverse?

As a test you can try the following

i.e. when the L2TP VPN connection is up, everything on your LAN should be correctly routed via the L2TP VPN? - including your laptop/PC with I/P xxx.xxx.xxx.xxx

e.g. Access https://ipleak.net and note your VPN IP address/geo-location

Then execute the following commands from the SSH prompt

ip route show table main | grep -v ppp5 | while read ROUTE;do ip route add table 77 $ROUTE;done
ip rule add from xxx.xxx.xxx.xxx table 77 prio 700
ip route flush cache

Now try https://ipleak.net and see if you now have the WAN IP address/geo-location


To revert your laptop/PC xxx.xxx.xxx.xxx default routing back via the L2TP VPN issue

ip rule del prio 700

If it worked, you should now be able to force your alarm device xxx.xxx.xxx.xxx via the WAN for the SMTP server zzz.zzz.zzz.zzz:25

ip rule add from xxx.xxx.xxx.xxx to zzz.zzz.zzz.zzz table 77 prio 700

NOTE: Omit the SMTP destination 'to zzz.zzz.zzz.zzz' directive if there are possibly multiple SMTP servers that are not static - reduces maintenance.
(If there is a static range that can be covered by a subnet mask then use the following syntax 'to zzz.zzz.zzz.zzz/nn' or use multiple add directives etc.)

EDIT: Use table 77 rather than 100 reserved by Asus

 

[sapstar66]

Thank you Martineau,

As I tried it yesterday, I made a booboo and (almost-)bricked my router. Spent the rest of the day de-bricking it! I will give this a try for sure.

 

[Martineau]

Thank you Martineau,

As I tried it yesterday, I made a booboo and (almost-)bricked my router. Spent the rest of the day de-bricking it! I will give this a try for sure.

I trust none of my commands were involved in your embarrassing PEBKAC moment?

 

[sapstar66]

well yes... but not your fault... as I did the paste of the command line, I didn't replace the xxx stuff and accidentally hit return ... everything went dead from then on !

 

[Martineau]

well yes... but not your fault... as I did the paste of the command line, I didn't replace the xxx stuff and accidentally hit return ... everything went dead from then on !

Hmmm, I'm not disputing your perceived 'bricking' moment, but I've just tried the invalid command myself:

admin@RT-AC68U:/jffs/scripts# ip rule add from xxx.xxx.xxx.xxx table 100 prio 700
Error: an inet prefix is expected rather than "xxx.xxx.xxx.xxx".

...and I'm still here...no smoking router!

Which router are you using?

 

[sapstar66]

ASUS rt-ac66u...

I entered only the 2 first lines... Then the internet died... Then I couldn't connect to the router...

I'm sure it's a code 18... And I'm back so.... I'll get to try it again later today.

Thanks again. I'll keep in touch

 

[Martineau]

ASUS rt-ac66u...

I entered only the 2 first lines... Then the internet died... Then I couldn't connect to the router...

I'm sure it's a code 18... And I'm back so.... I'll get to try it again later today.

Thanks again. I'll keep in touch

Ahh perhaps Asus still reserves table 100?, so substitute say table 77

 

[sapstar66]

So just to be sure...

Command line with table 100 or 77?

 

[Martineau]

So just to be sure...

Command line with table 100 or 77?

77

 

[sapstar66]

Havev't forgotten about this... will try it this weekend...